from the you're-not-built-for-this dept

We've noted for some time now how Verizon desperately wants to pivot from dull old broadband provider to sexy, Millennial-focused video advertising juggernaut. To accomplish this task, Verizon acquired both Yahoo and AOL, smushed them together, then hoped this would be enough to compete with the likes of Google and Facebook. The effort distracted the company from upgrading or repairing much of its fixed-line broadband footprint, since investing in networks isn't profitable enough, quickly enough, for many on Wall Street.

But Verizon's pivot hasn't been going so well. The company's Go90 video platform, which was supposed to be the cornerstone of the company's effort, recently fell flat on its face after Verizon spent $1.2 billion on the effort. And the company's Oath ad network, the combination of AOL and Yahoo, hasn't been doing much better, with Tim Armstrong (formerly of AOL) now heading for the exit (warning: annoying paywall):

"Mr. Armstrong, who came to Verizon in 2015 when it acquired AOL and helped steer its purchase of Yahoo two years later, had tried to combine the two internet companies to challenge Google and Facebook Inc. in digital advertising. But those efforts so far have failed to generate much growth or make the unit, called Oath, more than a side note in the wireless giant’s earnings."

Everyone (including Verizon) tends to forget that Verizon usually fails when it wanders outside of its core competencies (read: running networks and lobbying to kill consumer protections and hinder competitive threats). From the company's arguably terrible VCAST services to its failed app store, Verizon has long engaged in "me too" efforts that don't last because they're simply not good. And they're generally not good because, as a government-pampered telecom monopoly, Verizon simply isn't good at innovation, creativity, competition, disruption or actually listening to your users. They're alien concepts to most Verizon executives.

The company's failed streaming partnership with RedBox was another such example, and who can forget the company's attempt to launch a news website dubbed Sugarstring that collapsed in embarrassment after critics pointed out Verizon tried to ban writers from talking about net neutrality or surveillance.

Ironically though, part of the reason given for Verizon's problems getting Oath off the ground (at least according to the Wall Street Journal's sources) is that the company wasn't willing to be snoopy enough:

"Verizon and Oath executives, however, have disagreed over what some employees within the digital ad unit see as an overly conservative approach to using wireless subscriber data to boost Oath’s advertising revenue, people familiar with those discussions say.

Senior executives within Verizon are wary of potentially alienating lucrative wireless customers in the name of adding incremental advertising revenue, these people said. Oath contributed less than $4 billion in revenue during the first half of the year, compared with the wireless business’s $44 billion.

Verizon agreed to share with Oath anonymous information on subscribers’ age, gender, phone language, and data plan size, for example. But these people say the carrier refused to share information on the apps customers used and their web browsing activity unless users explicitly opted in."

Verizon, you'll recall, was one of the key players responsible for killing FCC broadband privacy rules last year. It also faced a major privacy scandal after it was found the company was covertly modifying user wireless packets to track users around the internet without telling them or providing working opt out tools. It took security researchers two years to even discover this was happening, and another six months of public shaming before Verizon made it possible to opt out.

Gun shy from that experience, and wary of courting additional scandal as it rushed to kill consumer oversight (both on the national and state level), Verizon subsequently made Oath's snoopiest systems opt in. And the result pretty clearly highlights why ISPs and marketing folks hate the entire opt in paradigm:

"Given the choice, most of Verizon's 116.5 million wireless subscribers decided not to take the deal. Just 10 million of them have opted into the data-sharing program, known as Verizon Selects, according to the Journal."

Again, it's pretty ironic that Verizon only went the opt in route because it was wary of courting additional scandal after it was caught spying on all of its wireless users without their permission. But it also really can't be overstated how terrible government-pampered monopolies are at actually building innovative and competitive products. You'd think that eventually, Verizon would realize its best bet lies in doing what it's good at, be it running wireless networks, or lobbying the government to screw over competitors and consumers.

from the Verizon-gonna-Verizon dept

While all major webmail companies have veered away from the idea of automatically scanning private e-mails in a bid to monetize the content for behavioral advertising due to public backlash, that's simply not how Verizon rolls. According to a deep dive over at the Wall Street Journal (watch out for the paywall, here's a Verizon-owned Techcrunch alternative), Verizon and its Oath subsidiary now offer the country's only major webmail service that still thinks this practice is a good idea:

"Yahoo’s owner, the Oath unit of Verizon Communications, has been pitching a service to advertisers that analyzes more than 200 million Yahoo Mail inboxes and the rich user data they contain, searching for clues about what products those users might buy, said people who have attended Oath’s presentations as well as current and former employees of the company."

After backlash, Google ended its own practice of auto-monetizing e-mail content for behavioral ads last year, acknowledging that the practice doesn't exactly instill trust in your customers (e-mails are still automatically scanned as part of the company's "Smart Compose" feature, but content is no longer monetized). Apple has never scanned subscriber e-mails for this purpose, and Microsoft told Techcrunch this week that the company does “not use email content for ad targeting in any way, anywhere in Microsoft." The shift has been part of an effort to compete on privacy, which is an idea that should be encouraged.

Coming from the telecom sector, Verizon's not quite as familiar with this whole competition thing. In comments to the Journal, Oath's vice president of data, measurements and insights provided a very Verizon-esque response, suggesting the scanning was a public benefit to users eager to see more relevant ads:

"Mr. Sharp said that being served ads is part of the trade-off users make in exchange for free online services, and that Yahoo’s research shows they prefer ads that are relevant to them.

"Email is an expensive system,” Mr. Sharp said. "I think it’s reasonable and ethical to expect the value exchange, if you’ve got this mail service and there is advertising going on."

Yes, so ethical.

On the plus side, Verizon's e-mail scanning doesn't include health and medical information, though in the wild west of consumer privacy oversight that is the United States, you'd have a hard time confirming that this or other information (like financial data) isn't being exploited. After all, Verizon doesn't exactly have a great track record about being candid about this sort of thing. That said, it looks like even before Verizon came on board Yahoo's e-mail scanning and monetization system went notably further than Google's ever did:

"Initially, Yahoo mined users’ emails in part to discover products they bought through receipts from e-commerce companies such as Amazon.com Inc., people familiar with the practice said. Yahoo salespeople told potential advertisers that about one-third of Yahoo Mail users were active Amazon customers, one of the people said. In 2015, Amazon stopped including full itemized receipts in the emails it sends customers, partly because the company didn’t want Yahoo and others gathering that data for their own use, someone familiar with the matter said."

The problem is that while Verizon has hungrily eyed Silicon Valley giants' ad revenues for years, its effort to pivot into the ad sector isn't going so well. The company's Go90 video platform, purported to be the cornerstone of Verizon's Millennial-focused video ad ambitions, recently imploded after a fairly severe lack of public interest. And while Oath may ultimately prove to be a powerhouse in advertising, refusing to bend to competitive trends and consumer concerns by scanning the e-mails of millions of subscribers for an extra buck isn't a great way to build a trustworthy brand.

Of course, anybody surprised that Verizon would take the low road shouldn't be. After all, this is the same company that was caught a few years ago covertly modifying user wireless packets so it could track users around the internet without telling them. It took two years for security researchers to even notice it, and months more before Verizon could be bothered to offer a working opt out tool. And while the company was ultimately fined by the FCC for the practice, a bigger variant of that technology has long-since been implemented across Verizon's entire Oath (the combination of Yahoo and AOL) ad network.

Of course we haven't even gotten to Verizon's ultra-cozy relationship with the nation's intelligence apparatus yet, or the fact that giant ISPs routinely engage in pretty sleazy behavior to undermine pretty much any effort to shore up the nation's privacy standards, regardless of the quality of the effort. All while hoovering up and monetizing private user browsing and location data on a scale that pretty routinely makes the Facebook, Cambridge scandal look like child's play.

Granted if Verizon wants to undermine its own efforts to pivot into the online ad space that's its prerogative, but it might make sense for the traditionally myopic telecom giant to try and evolve on the consumer trust front as well. As an aside, if you're a Yahoo e-mail customer, you should be able to opt out here.

from the if-you-don't-fix-the-front,-you'll-be-paying-on-the-back-end dept

A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc, which bought Yahoo’s Internet business last June, to dismiss many claims, including for negligence and breach of contract.

Koh dismissed some other claims. She had previously denied Yahoo’s bid to dismiss some unfair competition claims.

Yahoo was accused of being too slow to disclose three data breaches that occurred from 2013 and 2016, increasing users’ risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.

Three billion is a lot of potential class-mates, even though many Yahoo users had moved on to more viable/useful services long before the breach began. That being said, password reuse is common. So is the tendency to have the same user name in place across several platforms. And, needless to say, personally identifiable info stays the same, no matter what platform Yahoo's former users have strayed to.

The complaint -- amended again after news broke that Yahoo's entire user base had been compromised -- notes that Yahoo's "unending" efforts were routinely terrible, if not practically nonexistent. The suit points out multiple Yahoo hosts were compromised in 2008 and 2009. The next year, Google notified Yahoo that its systems were being used to attack Google. And in 2012, Yahoo suffered two breaches, including one stemming from a SQL injection attack that revealed the company unendingly stored passwords in plain text.

A couple of claims have been dismissed but the most damaging -- negligence -- remains. The plaintiffs so far have presented plenty of evidence that Yahoo handled users' PII extremely carelessly. From the decision [PDF]:

First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Fifth, Defendants “knew their data security was inadequate” and that “they [did not] have the tools to detect and document intrusions or exfiltration of PII.” “Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs . . . of breaches or security vulnerabilities.” Id. Sixth, and finally, Defendants’ concealment of their knowledge and failure to adequately protect Plaintiffs’ PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA.

Yahoo also has to keep fighting "deceit by concealment" allegations stemming from its delayed reporting of known security breaches.

Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants’ allegedly inadequate security. However, Defendants fail to acknowledge that Defendants’ delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants’ delayed disclosures. Moreover, contrary to Defendants’ suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact—namely, Plaintiffs have already established their “digital identities around Yahoo Mail.” Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they “would have taken measures to protect themselves” if they had been informed beforehand.

In total, Yahoo is still on the hook for 9 of 15 allegations related to the massive security breach. And it has no one to blame but itself if new owner Verizon ends up shelling out for damages. Yahoo's terrible security had been a problem for a half-decade before the 2013 breach. Three years later, it became clear everything Yahoo had collected on three billion email accounts was now in the hands of other people. This long line of breaches shows Yahoo was very interested in increasing its user base, but much less motivated to protect their info.

from the foot-in-the-door-for-greater-government-control-of-web-content dept

The US government would like to be involved in the web censorship business. The anti-sex trafficking bill recently passed by the House would do just that, forcing service providers to pre-censor possibly harmless content out of fear of being sued for the criminal acts of private citizens. Much has been made recently of "fake news" and its distribution via Russian bots, with some suggesting legislation is the answer to a problem no one seems to be able to define. This too would be a form of censorship, forcing social media platforms to make snap decisions about new users and terminate accounts that seem too automated or too willing to distribute content Congressional reps feel is "fake."

For the most part, legislation isn't in the making. Instead, reps are hoping to shame, nudge, and coerce tech companies into self-censorship. This keeps the government's hands clean, but there's always the threat of a legal mandate backing legislators' suggestions.

Key critic of Russian bots and social media companies in general -- Senator Dianne Feinstein -- has signed a handful of letters asking four major tech companies to start censoring drug-related material. Her co-signers on these ridiculous letters are Chuck Grassley, Amy Klobuchar, John Kennedy, and Sheldon Whitehouse. As members of the Senate Caucus on International Narcotics Control, they apparently believe Microsoft, Yahoo (lol), Pinterest, and Google should start preventing users from searching for drug information. (h/t Tom Angell)

The letters [PDFs here: Google, Yahoo, Microsoft, Pinterest] all discuss the search results returned when people search for information on buying drugs. (For instance, "buy percocet online.") But the letter doesn't limit itself to asking these companies to ensure only legitimate sites show up in the search results. It actually asks the companies to censor all results for drug information.

The senators specifically urge Google, Microsoft, Yahoo and Pinterest to take the following steps in helping us fight the opioid crisis:

Directing users to legal and legitimate pharmacies that require a valid prescription as a condition of sale when users search for medicines on each platforms;

Disabling the ability to search for illicit drugs through each platform;

Requiring each platform to report to law enforcement when that platform receives information indicating that a company wants to advertise the use of or sale of illicit narcotics;

Establishing a 24/7 telephone point of contact with whom law enforcement can communicate directly; and

Incorporating training for each platform’s security reviewers to enable them to better recognize these threats when they first arise.

It's the second bullet point that's key. It simply says "disable the ability to search for illicit drugs." There's no way to comply with that directive that won't result in the disappearance of useful information needed by thousands of search engine users. As Angell points out in this tweet, this would possibly cause information about drug interactions to be delisted. On top of that, students often need to research illegal drugs for class assignments and term papers. Authors and journalists also need access to a variety of drug info, including various ways they can be purchased online. Law enforcement Googles stuff just like the rest of us and its ability to track down purveyors of illegal drugs would be harmed if it was all pushed off the open web.

Those seeking to buy illegal drugs would find other ways of accomplishing this even if the info disappears. The so-called dark web is an off-the-radar option that many are using already. A whole host of useful info is in danger of being removed simply because questionable purveyors of prescription drugs have found a way to game search engine algorithms.

All of the companies receiving letters already have policies in place to restrict the illicit sale of drugs. They also have policies in place to forward pertinent info to law enforcement agencies. So, companies are already doing much of what is asked, but these senators feel the mere existence of questionable sites in search results makes these companies "facilitators" of illegal drug sales.

If SESTA is signed into law, it will make it that much easier for the government to demand similar legislation targeting opioid distribution. It will allow the government to claw back more of the immunity granted to service providers with the passage of the Communications Decency Act. The more holes drilled into Section 230 by legislation, the easier it is to remove it entirely, and paint targets on the back of search engines and social media platforms.

It's also dangerous to suggest companies need to set up dedicated 24/7 service for law enforcement agencies. This will only encourage law enforcement to bypass legal protections set up by previous legislation and lean on companies already feeling the heat from the government's increasingly-insane reaction to opioid overdoses. Warrants will seem unnecessary when legislators in DC are saying tech companies must be more responsive to law enforcement than they already are.

A suggestion from the government to start censoring search results is exactly that: censorship. The government may not be mandating it, but this is nothing like a concerned citizens group asking for more policing of search results. There's the threat of legislation and other government action propelling it. Even if these senators aren't mandating policy changes, they're still using the weight of their position to compel alteration of search results.

from the this-is-bad dept

Just earlier this week we noted that a judge easily laughed Playboy's silly lawsuit out of court because merely linking to infringing content is not infringing itself. But a judge in New York, Judge Katherine Forrest, has ruled on a different case in a manner that is quite concerning, which goes against many other court rulings, and basically puts some fundamental concepts of how the internet works at risk. It's pretty bad. In short, she has ruled that merely embedding content from another site can be deemed infringing even if the new site is not hosting the content at all. This is wrong legally and technically, and hopefully this ruling will get overturned on appeal. But let's dig into the details.

The case involved a photographer, Justin Goldman, who took a photograph of quarterback Tom Brady on Snapchat. Somehow that image made its way from Snapchat to Reddit to Twitter. The photo went a bit viral, and a bunch of news organizations used Twitter's embed feature to show the tweet and the image. Goldman sued basically all the news publications that embedded the tweet -- including Breitbart, Vox, Yahoo, Gannett, the Boston Globe, Time and more. Now, multiple different courts around the country have said why this should not be seen as infringing by these publications. It's generally referred to as "the server test" -- in which to be direct infringement, you have to host the image yourself. This makes sense at both a technical and legal level because "embedding" an image is no different technically than linking to an image. It is literally the same thing -- you put in a piece of code that points the end user's computer to an image. The server at no point hosts or displays the image -- it is only the end user's computer. In the 9th Circuit, the various Perfect 10 cases have established the server test, and other courts have adopted it or similar concepts. In the 7th Circuit there was the famous Flavaworks case, where Judge Posner seemed almost annoyed that anyone could think that merely embedding infringing content could be deemed infringing.

But Judge Forrest has decided to carve a new path on this issue in Southern New York, teeing up (hopefully) an opportunity for the 2nd Circuit to tell her why she's wrong. Even more troubling, she actually relies on the awful Aereo "looks like a duck" test to come to this conclusion. Let's dig into her reasoning. The key issue here is the exclusive right to "display" a work under copyright, known as 106(5) under copyright law.

It's also important to note that this ruling is just at the summary judgment stage, and doesn't mean that the various publications will be found to have infringed -- it just means that the court is letting the case go forward, meaning that the various publications might now raise various defenses as to why their embedding is not infringing. It's still concerning, because given the "server test" in other jurisdictions, such a case would easily be tossed on a motion to dismiss or summary judgment because there's no legitimate claim of copyright infringement if no direct infringement can be shown. But here, Judge Forrest argues that because an embed leads an end user's computer to display an image, that somehow makes the publisher who included the embed code possibly liable for infringing the display right. Because it looks like a duck.

This is not a new issue by any means. I found a story from over a decade ago in which I warned that we'd see a lot more stupid lawsuits about embedding content from platforms, and have to admit I'm a bit surprised we haven't seen more. The reason that's the case is almost certainly because of the reliance of many courts on the server test, leading many to realize such an argument is a non-starter. Until now.

Forrest basically says that even though the image never touches the publisher's server, and the only thing the publisher is doing is linking to an image in a manner that makes the end-user's browser grab that image from another location and display it, it still counts as infringement -- because of the Aereo ruling. If you don't recall, Aereo involved a creative (if technically stupid) method for streaming over-the-air broadcast TV to users by setting up many local antennas that were legally allowed to receive the signals, and then transmitting them over the internet (which is also legal). But, the Supreme Court came up with a brand new test for why that's not allowed -- which we've called the "looks like a duck" test. The ruling found that because Aereo kinda looked like cable to the end user, the technical rigamarole in the background to make it legal simply doesn't matter -- all that matters is how things looked to the end user. Forrest argues the same is true here:

Moreover, though the Supreme Court has only weighed in obliquely on the issue, its language in Aereo is instructive. At heart, the Court’s holding eschewed the notion that Aereo should be absolved of liability based upon purely technical distinctions—in the end, Aereo was held to have transmitted the performances, despite its argument that it was the user clicking a button, and not any volitional act of Aereo itself, that did the performing. The language the Court used there to describe invisible technological details applies equally well here: “This difference means nothing to the subscriber. It means nothing to the broadcaster. We do not see how this single difference, invisible to subscriber and broadcaster alike, could transform a system that is for all practical purposes a traditional cable system into a ‘copy shop that provides patrons with a library card.’”

We were worried about the wider impact of the Aereo "duck" test -- and people told us it wasn't that big a deal. Indeed, until this ruling, Aereo hasn't been (successfully) cited very often. Many thought that the very specific nature of Aereo might limit that precedent to a very specific situation involving cable TV. This ruling suggests that the silly "duck" test may be spreading. And that's bad, because it's based on ignoring what's actually happening at the technological level, in which the technology may be designed specifically to not violate any of the exclusive rights of copyright law.

Also, it should worry people greatly that courts are using this "we don't care about what's actually happening, we just care what it looks like" standard for judging infringement. Because to infringe on a copyright requires a very specific set of facts. And here (as with Aereo) the court is saying "we don't care about whether or not it actually violates one of the exclusive rights granted under copyright, we only care if it looks like it infringes." That's... a huge change in the law, and it's not at all how copyright law has been judged in the past. It can and will be used to hamstring, limit, or destroy all sorts of unique and useful technological innovations.

Forrest also tries to distinguish this ruling from the Perfect 10 cases and the Flava Works case -- even admitting that other 2nd circuit courts have used the server test. But, she says, they were all different -- doing things like only using the server test for the distribution right, but not the display right, or not really endorsing the server test and ruling on other reasons.

Forrest also points to a trademark case that involved an embedded image which was found to be infringing -- but that's entirely different. The rules for trademark infringement are completely different than the exclusive rights related to copyright. With trademark, it's not as specific, and the use of someone else's logo broadly (as happened in the case cited) could easily be infringing on the trademark, but that doesn't get to the copyright question which involves much more carefully limited rights.

But, most troubling of all, Forrest argues that the server test... is just wrong:

The Court declines defendants’ invitation to apply Perfect 10’s Server Test for two reasons. First, this Court is skeptical that Perfect 10 correctly interprets the display right of the Copyright Act. As stated above, this Court finds no indication in the text or legislative history of the Act that possessing a copy of an infringing image is a prerequisite to displaying it. The Ninth Circuit’s analysis hinged, however, on making a “copy” of the image to be displayed—which copy would be stored on the server. It stated that its holding did not “erroneously collapse the display right in section 106(5) into the reproduction right in 106(1).” Perfect 10 II, 508 F.3d at 1161. But indeed, that appears to be exactly what was done.

The Copyright Act, however, provides several clues that this is not what was intended. In several distinct parts of the Act, it contemplates infringers who would not be in possession of copies—for example in Section 110(5)(A) which exempts “small commercial establishments whose proprietors merely bring onto their premises standard radio or television equipment and turn it on for their customer’s enjoyment” from liability. H.R. Rep. No. 94-1476 at 87 (1976). That these establishments require an exemption, despite the fact that to turn on the radio or television is not to make or store a copy, is strong evidence that a copy need not be made in order to display an image.

Except... that's still very different. That's still a case where the "small commercial establishments" are showing the work. In this case -- and the very reason why the server test is so important -- the content in question is never on the publisher's premises or server. It only appears on the end user's browser, because that browser goes and fetches it.

Even more bizarre, Forrest argues that Perfect 10 and the server test are different because the image is displayed on the end user's computer:

In addition, the role of the user was paramount in the Perfect 10 case—the district court found that users who view the full-size images “after clicking on one of the thumbnails” are “engaged in a direct connection with third-party websites, which are themselves responsible for transferring content.” Perfect 10 I, 416 F. Supp. 2d at 843.

In this Court’s view, these distinctions are critical.

While this doesn't involve the end user "clicking" first to get the display, it's really no different. It is the end user who has the allegedly infringing content displayed on their computer, not the publisher. A direct connection is made between the end user and the hosting provider (in this case Twitter). The publisher never touches the actual content. Yet, Forrest argues that they can be direct infringers.

That's... wrong.

Despite the fact that EFF and others warned the court that this ruling would massively upset the way the internet works, Forrest doesn't seem to believe them (or care)... because maybe fair use will protect people.

The Court does not view the results of its decision as having such dire consequences. Certainly, given a number as of yet unresolved strong defenses to liability separate from this issue, numerous viable claims should not follow.

In this case, there are genuine questions about whether plaintiff effectively released his image into the public domain when he posted it to his Snapchat account. Indeed, in many cases there are likely to be factual questions as to licensing and authorization. There is also a very serious and strong fair use defense, a defense under the Digital Millennium Copyright Act, and limitations on damages from innocent infringement.

That's... also wrong. Yes, publishers may be protected by fair use or other defenses. But fair use is much harder to get a ruling on at an early (summary judgment) stage in a case (a few courts are starting to allow this, but it's not all that common). Having the server test be good law would prevent a flood of these kinds of cases from being filed. Without it, people can troll media sites that embed tweets and go after them, leading to long and costly litigation, even if they have strong fair use defenses. Also, the reference above to releasing the image "into the public domain" is nonsensical. No one is arguing that the image was in the public domain. It is clearly covered by copyright.

Given what a total and complete mess this ruling will cause on the internet should it stand, I fully expect a robust appeal. The 2nd circuit can be a mixed bag on copyright, but often does a pretty good job in the end. One hopes that the 2nd circuit reverses this ruling, endorses the server test, and keeps the internet working as it was designed -- where embedding and linking to content doesn't magically make one liable for infringement.

from the yes-all-of-it dept

Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo's email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it's under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it's much easier to just say, "Yahoo email was compromised." As in: all of it.

In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company's integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.

"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account," Yahoo said Tuesday.

Also important to note is that the yahoos at Yahoo were only able to correctly inform the public as to the specific number of accounts breached in these attacks once the use of numbers no longer mattered. Tooting its own horn about the actions it took to protect "all accounts" when it didn't even know that "all accounts" had indeed been compromised violates PR rule number 1: don't request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all moving forward, given how laughably this whole mess has been bungled.

But the larger point harkens back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion bandaid-pulling is beyond me, but it sure seems to be the playbook.

from the please-allow-me-to-entertain-you-with-my-legal-theories dept

Sometimes litigants start out with a good case... or at least a credible one. Then they ruin it by getting creative. The day-to-day work of adjudicating may be a bit dry, but novel legal arguments rarely provide anything more than entertainment for bystanders.

Lawyer and author Thomas Hall originally sued three individuals for alleged online harassment. According to his first complaint, Hall had drawn the ire of supposed white supremacists who bombarded him with hundreds of "threatening and disparaging emails." Hall sought a restraining order against the three defendants, but apparently needed a bit more personal info before he could get that order approved. [via Eric Goldman]

That's when he got creative. Having received no help from Yahoo in identifying the people behind the alleged harassment campaign, Hall decided to sue Yahoo as well. That's when the case went from credible to WTF. From the decision [PDF]:

On August 29 2014, Hall filed the instant action against Lund, Jessop, and Dunk for intentional infliction of emotional distress, libel, false light invasion of privacy, and invasion of privacy. In addition to those named or identified in the previous harassment action, Hall named as a defendant derHoaxster@gmail.com (derHoaxster), and alleged that derHoaxster had “published multiple statements disparaging Plaintiff as dishonest in his law practice and in his personal life.” Hall also named Yahoo as a defendant, based on allegations that Yahoo had published or republished threatening and defamatory statements made by Lund, Jessop, Dunk, and derHoaxster.

Yahoo, naturally, claimed it had done no such thing. It also pointed out postings by third parties were the third parties' problem, not Yahoo's. Hall, however, argued Yahoo could be proven to be responsible for the supposed republished content. The court humored him. Hall did not fail to disappoint.

On July 17, 2015, Hall filed a first amended complaint (FAC) that included the same causes of action alleged in his initial complaint as well as a new fifth cause of action against Yahoo for intentional interference with contract. In the new cause of action, Hall alleged that Yahoo had flooded his America Online (AOL) email account with more than 2000 emails denigrating AOL’s services. Hall’s FAC also alleged that Yahoo was not shielded by the CDA because Yahoo had failed to identify the users of the screen names who had posted defamatory statements about him, and that Yahoo itself was the “content provider” of those statements.

This was Hall's attempt to peel back Yahoo's Section 230 immunity. It's an interesting theory -- Yahoo's failure to identify strips it of immunity. It's also one without any legal basis. This amended complaint didn't do much for Hall. Yahoo responded with a motion of its own under California's anti-SLAPP law. In support of its motion, Yahoo submitted an affidavit stating it did not create any of the content in its forums, bulletin boards, chatrooms, etc.

Hall simply doubled down.

Hall opposed the demurrer and anti-SLAPP motion, arguing that Yahoo was not shielded from liability under the CDA because it had not provided, in response to Hall’s discovery requests, telephone numbers for the users of the screen names “pddunk@yahoo.com” and “derHoaxster@yahoo.com.”

Hall’s argument that Yahoo was required to identify the persons who posted the objectionable content by providing the names, addresses, telephone numbers, or other identifying information for such persons is legally unsupported. The CDA contains no such requirement, and Hall cites no authority that construes the statute to impose such a requirement. Delfino v. Agilent Technologies, Inc. (2006) 145 Cal.App.4th 790 (Delfino), a case on which Hall relies, undermines rather than supports his position. The court in Delfino concluded that because “there was no evidence that Agilent [the interactive computer service provider] played any role whatsoever in ‘the creation or development’ of” the objectionable content that was the subject of the action, it clearly satisfied the third element required for a finding of CDA immunity. (Id. at p. 807.) Here, there was undisputed evidence that Yahoo was not responsible, in whole or in part, for the content of the emails and posts that are the subject of Hall’s claims. The trial court accordingly did not err by granting the anti-SLAPP motion.

As the court points out earlier in the decision, Yahoo's declaration that it did not post or publish the allegedly defamatory content went uncontested by Hall. Instead, Hall picked his misunderstanding of Section 230 as the hill to die on. On top of having his lawsuit dismissed (both for failure to state a claim and under California's anti-SLAPP law), Hall will now be paying Yahoo's legal costs.

The decision here is another reminder of two things:

1. There is still no federal anti-SLAPP law, something that would greatly discourage baseless lawsuits like these from being brought in federal court. It would also discourage the same behavior in state courts, which is where this one was filed.

2. Section 230 provides important protections for service providers who are almost always the easiest party to find and serve, even if they've done nothing else but provide a platform for people to speak their minds.

from the well,-that's-cool... dept

You may remember, a few years ago, Verizon attempted to start its own tech blog, called "SugarString," where the founding editor they hired was telling potential reporters they couldn't write about net neutrality. After that got mocked around the web, the whole idea of SugarString faded away. However, these days, Verizon actually owns a ton of content sites. It bought AOL in 2015, which already owned the Huffington Post, TechCrunch, Engadget and more. More recently, of course, it bought Yahoo as well. Suddenly, Verizon owns a ton of tech reporting.

And here's the amazing thing: some of the best reporting about how awful Ajit Pai's net neutrality proposal is... is coming from those sites now owned by Verizon. For example, over at Yahoo News, Rob Pegoraro has been doing a great job debunking many of Ajit Pai's claims about the history of the internet. In particular, Pai and his supporters keep insisting that the move by then FCC boss Tom Wheeler in 2015 to reclassify broadband under Title II upset a consensus going back to the Bill Clinton years that broadband was not under Title II. Except that's... just wrong:

"Two years ago, the federal government's approach suddenly changed," Pai said. "The FCC, on a party-line vote, decided to impose a set of heavy-handed regulations upon the internet."

But as the FCC's own site shows, the commission didn't reclassify cable providers to lift them out of the common-carrier bucket until March 14, 2002, not 1996.

That's when the commission reclassified cable providers from open-ended "telecommunications services" to "information services" — a term that, as described in the 1996 law, better fits proprietary online services like floppy-disk-era AOL.

The commission didn't extend the same treatment to phone-based providers until 2005.

There's a lot more in that piece as well, correcting the blatant factual errors in Ajit Pai's claims about net neutrality.

Of course, you might claim that Verizon just purchased Yahoo, so perhaps word had not yet filtered down. But let's shift over to TechCrunch, which has been under the AOL banner for years, and the Verizon/AOL banner for quite some time as well. Over there, a reporter by the name of Devin Coldewey has written a series of truly excellent articles about the FCC's plans to roll back net neutrality. Those pieces are thorough, detail-oriented and not prone to the sorts of hyperbole that (unfortunately) have been seen on both sides of the net neutrality debate. For example, look at his article from last week that carefully goes through the arguments against net neutrality that people are making, and then carefully debunks each one. The piece is so damn good, I wish we ran it ourselves. For example, here's just one of the eight separate arguments that he debunks:

We’re not trying to remove net neutrality rules, just Title II

TL;DR: Removing the rules is literally in the proposal

It is frequently said that the point is not to remove the rules themselves, just change the authority to something a little less heavy-handed.

This is a puzzling assertion to make when the proposal itself asks over and over again whether the “bright line” rules of no blocking, no throttling, etc should be removed. It’s pretty clear that proponents don’t think the rules are necessary and will eliminate them if they can. Just because they frame their preference in the form of a question doesn’t make it any less obvious.

A sort of corollary to this argument is that internet providers will voluntarily adhere to suggested practices. This is a pretty laughable suggestion, and even if it were true, it self-destructs: if companies have no problem subjecting themselves to these restrictions, how can they be as onerous as they say?

The first point the FCC makes is regarding the text of the 1996 Telecommunications Act, and how it defines “telecommunications service” (how broadband is currently defined, allowing net neutrality rules to be effected) and “information service” (how it was before the net neutrality rule).

Now, I’m going to list the two definitions. Which one do you think sounds like what a broadband provider does?

“The offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications, and includes electronic publishing, but does not include any use of any such capability for the management, control, or operation of a telecommunications system.”

“The transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received.”

Take your time.

...

Okay. Number 2, right? Because your ISP doesn’t store the data you post on Facebook, or the address you look up on Google Maps, or the Pope you read about on Wikipedia. It’s edge providers like the ones I just mentioned that do all the “generating, acquiring, storing,” and so on. ISPs just transmit the information, don’t they?

Perhaps it would surprise you, then, to hear that the FCC has the exact opposite idea of how the internet works!

This is good stuff. Thorough, careful, and detailed facts that totally undermine Ajit Pai and the FCC's arguments. And it's coming from a site owned by Verizon. Now, obviously, the good news out of this is that it appears that Verizon is not interfering with editorial on these sites. That's actually encouraging (though I do wonder if the company will push to have "the other side" heard on these sites as well). Honestly, though, the links above are to three of the best pieces I've seen on net neutrality and how the arguments being made by Ajit Pai are either faulty, bogus or, at the very least, misrepresent reality. It's just icing on the cake that they happen to be on sites owned by Verizon, a company that has been at the center of the fight to kill net neutrality, and even had to drum up a fake journalist to talk to one of its execs, who insisted that the company really loved net neutrality (note: it does not).

from the abort! dept

The saga of Facebook Live marches on, I suppose. The social media giant's bid to get everyone to live-stream content that mostly appears to be wholly uninteresting has nevertheless produced some interesting legal stories as a result. The latest of these is the conclusion of a string of copyright infringement lawsuits filed by a man who used Facebook Live to stream the birth of his child, brought against the many, many news organizations that thought his act was newsworthy.

It was in May of 2016 that Kali Kanongataa accidentally publicly streamed his wife birthing the couple's son. He had intended for the stream to only be viewable to friends and family, but had instead made the stream viewable by pretty much everyone. Even after realizing he'd done so, Kanongataa kept the stream public, leading over 100,000 people to view the video -- including some folks in several news organizations, who used snippets of the stream in news stories about the couple's decision to stream this most intimate of moments.

And then came the lawsuits.

In September, Kanongataa filed suit (PDF) against ABC and Yahoo for showing portions of his video on Good Morning America as well as the ABC news website and a Yahoo site that hosts ABC content. He also sued COED Media Group and iHeartMedia. In October, he sued magazine publisher Rodale over a clip and screenshot used on the website for its magazine Women's Health. Last month, he sued Cox Communications.

In November, ABC lawyers filed a motion (PDF) calling their client's use of the Kanongataa clip a "textbook example of fair use." ABC used 22 seconds of a 45 minute video in order to produce a news story that would "enable viewers to understand and form an opinion about the couple's actions."

ABC's motion, embedded below, goes on to patiently explain to the court and, presumably, to Kanongataa's crack legal representation, that the entire point of the Fair Use defense was to allow small amounts of works to be used for the purpose of commentary and in news stories. Were lawsuits like this one to be victorious, news in the era of the image would come to a screeching halt. And, since the stories generated by these news organizations centered on the newsworthy nature of a couple streaming this sort of thing in the first place, use of such clips and images was perfectly in line with Fair Use usage in their reports.

The presiding judge, Lewis Kaplan, appears to have understood this correctly, having tossed the lawsuit against ABC and the other defendants.

Judge Kaplan's order shuts down Kanongataa's lawsuit against ABC, NBC, Yahoo, and COED Media Group. A lawsuit against CBS and Microsoft was dropped in November, possibly due to a settlement. The case against Rodale is still pending and is also being overseen by Judge Kaplan. Kanongataa's lawsuit against Cox was filed in a different district and remains pending in the Eastern District of New York.

This really is about as textbook a case of Fair Use as there could possibly be, leading us to wonder what in the world the legal team Kanongataa had hired was thinking in filing this in the first place.

from the dysfunction-junction dept

So last year we noted how Verizon proposed paying $4.8 billion to acquire Yahoo as part of its plan to magically transform from stodgy old telco to sexy new Millennial advertising juggernaut, which, for a variety of reasons, isn't going so well. One of those reasons is the fact that, during deal negotiations, Yahoo failed to disclose the two massive hacks (both by the same party) that exposed the credentials of millions of Yahoo customers. The exposure included millions of names, email addresses, phone numbers, birthdates, hashed passwords (using MD5) and "encrypted or unencrypted" security questions and answers.

As noted previously, Verizon had been using the scandal to drive down the $4.8 billion asking price, reports stating that Verizon was demanding not only a $1 billion reduction in the price, but another $1 billion to cover the inevitable lawsuits by Yahoo customers.

"Verizon Communications Inc. is close to a renegotiated deal for Yahoo! Inc.’s internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches at the web company, according to people familiar with the matter...In addition to the discount, Verizon and the entity that remains of Yahoo after the deal, to be renamed Altaba Inc., are expected to share any ongoing legal responsibilities related to the breaches, said the people, who asked not to be identified discussing private information."

Yahoo wasn't always incompetent when it comes to security. In fact, at one point the company was considered among the best in the business, something that only began to change when CEO Marissa Mayer decided to begin cutting security corners. This came to light a few months back via a series of insider-fueled pieces highlighting how Mayer's business decisions actively worked to make Yahoo users less secure. Mayer was concerned, apparently, that actually being transparent with Yahoo customers about their (not so) private data would result in the company losing even more customers than it already had:

"According to the former Yahoo executive that Business Insider spoke to, Yahoo's culture of secrecy and its prioritization of other business goals led to troubling security practices that made it much more difficult for Yahoo to defend from hackers.
Yahoo's security team was often denied funding and sometimes kept in the dark at Mayer's direction, as she feared more emphasis on security could potentially spur a decline in the company's user base."

But at the end of the day, transparency builds trust in the brand, resulting in more loyal customers -- something Mayer apparently didn't understand. The ironic part being that much of this shift away from security was also occurring because Mayer was busy trying to make Yahoo a sexier acquisition target. Fortunately for all of us, this deal finally puts this entire sordid affair in the rear-view mirror, and Verizon executives can get back to gobbling up foundering 90s internet brands, and convincing themselves they have the disruptive DNA required to take on Google, Facebook and others in the quest for Millennial ad eyeballs.